I’m doing a bit of work on an existing application that’s switching to auth0-spa-js. Currently we have custom claims added to the access token via a rule. It seems that auth0-spa-js does not include a public API for decoding the access token returned by getTokenSilently et al. Am I just missing something? Or do we need to update the rule to set the claims in the ID token and use getIdTokenClaims instead?
Welcome to the Auth0 community, @n.selikoff!
The access token is meant to be sent to an API/backend, and not to be decoded by the SPA (frontend). The SPA should treat it as an opaque string. This is why the SDK does not decode the access token or provide a method to access the contents.
The ID token can be used in the SPA though. As you’ve already figured out,
getIdTokenClaims() method can be used to get the claims.
Got it, thanks for clarifying and confirming @thameera!
Glad we have it figured out!